From faf5e19aaedfa5ec70ddde2ba7be60909899616a Mon Sep 17 00:00:00 2001
From: yexo <yexo@openttd.org>
Date: Tue, 6 Apr 2010 21:16:36 +0000
Subject: (svn r19569) -Fix: possible buffer underflow in newgrf string code

---
 src/newgrf_text.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/newgrf_text.cpp')

diff --git a/src/newgrf_text.cpp b/src/newgrf_text.cpp
index 6cf10f1c8..a564e1917 100644
--- a/src/newgrf_text.cpp
+++ b/src/newgrf_text.cpp
@@ -636,7 +636,7 @@ void RewindTextRefStack()
  * @param argv  the OpenTTD stack of values
  * @return the string control code to "execute" now
  */
-uint RemapNewGRFStringControlCode(uint scc, char **buff, const char **str, int64 *argv)
+uint RemapNewGRFStringControlCode(uint scc, char *buf_start, char **buff, const char **str, int64 *argv)
 {
 	if (_newgrf_textrefstack->used) {
 		switch (scc) {
@@ -663,7 +663,7 @@ uint RemapNewGRFStringControlCode(uint scc, char **buff, const char **str, int64
 
 			case SCC_NEWGRF_ROTATE_TOP_4_WORDS:   _newgrf_textrefstack->RotateTop4Words(); break;
 			case SCC_NEWGRF_PUSH_WORD:            _newgrf_textrefstack->PushWord(Utf8Consume(str)); break;
-			case SCC_NEWGRF_UNPRINT:              *buff -= Utf8Consume(str); break;
+			case SCC_NEWGRF_UNPRINT:              *buff = max(*buff - Utf8Consume(str), buf_start); break;
 
 			case SCC_NEWGRF_PRINT_STRING_ID:
 				*argv = TTDPStringIDToOTTDStringIDMapping(_newgrf_textrefstack->PopUnsignedWord());
-- 
cgit v1.2.3-54-g00ecf